How do I configure the Threat Suppression Engine (TSE) via the LSM?

    • Updated:
    • 24 Aug 2017
    • Product/Version:
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint SecBlade All
Summary
The Threat Suppression Engine (TSE) is a line-speed hardware engine that contains all the functions needed for Intrusion Prevention, including IP de-fragmentation, TCP flow reassembly, statistical analysis, traffic shaping, flow blocking, flow state tracking and application-layer parsing of over 170 network protocols. 

The TSE reconstructs and inspects flow payloads by parsing the traffic at the application layer. As each new packet of the traffic flow arrives, the engine re-evaluates the traffic for malicious content. The instant the engine detects malicious traffic, it blocks all current and all subsequent packets pertaining to the traffic flow. The blocking of the traffic and packets ensures that the attack never reaches its destination. 

The combination of high-speed network processors and custom chips provides the basis for IPS technology. These highly specialized traffic classification engines enable the IPS to filter with extreme accuracy at gigabit speeds and microsecond latencies. Unlike software-based systems, whose performance degrades as the number of installed filters grows, the highly scalable capacity of the hardware engine allows thousands of filters to run simultaneously with no impact on performance or accuracy.
Details
Parameter / Description

Connection Table Timeout (TCP)
Specifies the global timeout interval for TCP traffic on the connection table. For blocked streams in the connection table, this value determines the time interval that elapses before the blocked connection is cleared from the connection table. Before the timeout occurs, any incoming packets for that stream are blocked at the IPS device. After the connection is cleared (the timeout interval expires), the incoming connection is allowed until traffic matches another blocking filter. Blocked streams can also be cleared from the connection table manually from the Blocked Streams page (Events -> Managed Streams -> Blocked Streams).

Connection Table Timeout (non-TCP)
Specifies the global timeout interval for non-TCP traffic on the connection table.

Trust Table Timeout
Specifies the global timeout interval for the trust table. This value determines the time interval that elapses before the trusted connection is cleared from the trust table.

Quarantine Timeout
Specifies the global timeout for the quarantine table. For quarantined hosts in the quarantine table, this value determines the time interval that elapses before the quarantined host is cleared from the quarantine table. After the quarantined host is cleared (the timeout interval expires), quarantined addresses may be automatically released, if that option is selected.

Asymmetric Network
Specifies whether the IPS device is configured for an asymmetric network. When asymmetric configuration is enabled, the IPS device will not see both sides of a TCP connection. This option is enabled by default.

Logging Mode
Configure settings to prevent traffic-related event notifications (such as those generated when a triggered filter is configured with a Block+Notify or Permit+Notify action set) from causing network congestion.

Logging Mode: determines whether logging is enabled or disabled when the network becomes congested. Always indicates that the system continues logging even if traffic is dropped under high load. Disable if congested indicates that logging is disabled when the system reaches the specified congestion percentage.

Congestion Percentage: can be configured if the Disable if congested option is selected. This value specifies the amount of network congestion that can occur before the system disables logging functions.

Disable Time: specifies the amount of time (default is 10 minutes) that logging is disabled before the service is restarted. When the downtime expires, the system re-enables logging and displays the number of missed notifications.

Congestion Notification
Specifies whether alert messages will be sent when the overall device congestion exceeds the specified threshold.

HTTP Response Processing
Specifies inspection of encoded HTTP responses.
  • Accelerated inspection of encoded HTTP responses - Hardware acceleration is used to detect and decode encoded HTTP responses.
  • Inspect encoded HTTP responses - Enables strict detection and decoding of encoded HTTP responses.
  • Ignore encoded HTTP responses - The device does not detect or decode encoded HTTP responses.
  • Enable URL & NCR encoding - Decodes and inspects encoded HTTP responses. Enabled by default. This feature will not work if Ignore encoded HTTP responses is selected.

DNS Reputation NXDOMAIN Response
Allows the IPS to respond with NXDOMAIN (name does not exist) to clients that make DNS requests for hosts that are blocked.

IDS Mode
When IDS mode is enabled, it adjusts the device configuration so that the device operates in a manner suitable for Intrusion Detection System (IDS) scenarios and filter configurations.
  • Performance protection is disabled.
  • Adaptive Filtering is set to Manual.
  • Filters currently set to Block are not switched to Permit, and Block filters can still be set.
When IDS Mode settings are changed, reboot the device for the change to take effect.
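As an added illustration, not code from this article or from TippingPoint, the following Python models how the three Logging Mode settings interact once device congestion crosses the threshold: notifications are dropped for the Disable Time window and the count of missed notifications is reported when logging resumes. The 80% threshold, the sample congestion readings and the notify() function are assumptions; whether the notification that first crosses the threshold is itself logged is not stated by the article, so it is counted as missed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the Logging Mode settings (mode, congestion percentage,
# disable time). Hypothetical code, not TippingPoint's implementation.


@dataclass
class LoggingMode:
    mode: str = "always"               # "always" or "disable_if_congested"
    congestion_pct: int = 80           # threshold (constructed value)
    disable_minutes: int = 10          # article default: 10 minutes
    disabled_until: Optional[float] = None
    missed: int = 0
    log: List[Tuple[float, str]] = field(default_factory=list)

    def notify(self, t_min: float, congestion: float, event: str) -> bool:
        """Return True if the notification is logged at minute t_min."""
        # Disable window elapsed: re-enable logging and report what was missed.
        if self.disabled_until is not None and t_min >= self.disabled_until:
            self.log.append((t_min, f"logging re-enabled; {self.missed} notifications missed"))
            self.disabled_until, self.missed = None, 0
        if self.disabled_until is not None:        # still inside the window
            self.missed += 1
            return False
        if self.mode == "disable_if_congested" and congestion >= self.congestion_pct:
            self.disabled_until = t_min + self.disable_minutes
            self.missed = 1                        # assumption: crossing event is dropped
            return False
        self.log.append((t_min, event))
        return True


# Constructed sample: (minute, device congestion %, notification)
SAMPLES = [
    (0, 20, "Block+Notify #1"),
    (1, 85, "Block+Notify #2"),   # crosses 80%: logging disabled until minute 11
    (5, 90, "Permit+Notify #3"),  # dropped
    (9, 30, "Block+Notify #4"),   # congestion gone, but the window has not expired
    (11, 25, "Block+Notify #5"),  # window over: re-enabled, 3 missed reported
]


def simulate(mode: str = "disable_if_congested", congestion_pct: int = 80,
             disable_minutes: int = 10) -> Tuple[List[bool], List[Tuple[float, str]]]:
    lm = LoggingMode(mode, congestion_pct, disable_minutes)
    logged = [lm.notify(t, c, e) for t, c, e in SAMPLES]
    return logged, lm.log


if __name__ == "__main__":
    for entry in simulate()[1]:
        print(entry)
```

Run with mode="always" to see that every notification is logged regardless of the congestion reading, which is the trade-off the Always setting makes under high load.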


How to: Configure the Threat Suppression Engine (TSE)

On the IPS Preferences page, you can configure global settings for the TSE in the Configure Threat Suppression Engine section.

  1. From the LSM menu, click IPS -> Preferences.
  2. On the IPS Preferences page in the Configure Threat Suppression Engine (TSE) section, change the configuration parameters as required.
  3. Click Apply.

Reference: Local Security Manager User's Guide


Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000087318